Still looking for a way to run Apple Security Updates now version 11.5 on computers with no user intervention? Running Jamf Pro Version 10.30 nothing working Softwareupdate -i -a -R says is works, but downloads and nothing happens. Any workarounds, why is Jamf not resolving this issue, its been months?

We began prepping our lifecycle replacements in earnest over the last two weeks, and I have become keenly aware of this problem.  The Management Command method of running updates is unreliable at best, and having to do so one machine at a time is not reasonable.  The ability to schedule updates (not just manually initiate them via a mass action) needs to be a priority.

I have been trying Nudge.  As we need to provide some info to end user before we move with an update.  Still in testing phase for us.

https://community.jamf.com/t5/jamf-pro/nudge-macos-updates/m-p/243467#M228760

Hi Sir

I'm new to jamf could you please share your workflow how you done it

The issue is that there used to be a great work flow in Jamf Pro for running Apple Security updates 

Policies

Payload: Software Updates

Install from Apple Software Update Server

This worked great up until about 6 months ago! The issue is with Intel based iMacs running mac OS 11 Big Sur. Now this Policy no longer works. Apple's response is that they are not an enterprise solution and that is why you pay for an MDM like Jamf Pro. It is there issue. 

Apple is requiring a manual reboot on M1 Apple Silicon Macs and that we know, but I am still just trying to update Intel based iMacs which are requiring a manual reboot like the M1s so obviously there's a disconnect between Intel and M1s in Jamf Pro. 

Tried a dozen scenarios and this is the latest, the issue is it will download the Apple update, but I have to log in to each iMac and click Restart which is a bit challenging when you have hundreds. 

Latest Policy:

Just Files & Processes: softwareupdate -iaR --force

I got this to work on one Intel iMac and that gave me hope, but it is not working. Same issue will not Restart automatically.

#!/bin/sh

#API login info
apiuser="Temp User"
apipass="Temp Password"
jamfProURL="https://ORG.jamfcloud.com"

#Grab serial number, OS Version of computer and CPU Type
SerialNumber=$(system_profiler SPHardwareDataType | grep 'Serial Number (system)' | awk '{print $NF}')
macOSVersion=$(sw_vers -productVersion)
arch=$( /usr/bin/arch )

#Check macOS Major
CheckIt=$(echo $macOSVersion | cut -d . -f 1)

#Set xpath option based on macOS major version
if [[ "$CheckIt" == "11" ]]
    then
        xpath="xpath -e"
    else
        xpath="xpath"
fi

function scheduleOSUpdateViaAPI() {

    #Grab the computers JSS ID
    jamfProCompID=$( /usr/bin/curl -s -u ${apiuser}:${apipass} ${jamfProURL}/JSSResource/computers/serialnumber/${SerialNumber}/subset/general | $xpath "/computer/general/id/text()" )

    #Initiate the InstallForceRestart key (Download and install the update, and restart computers after installation), To allow for updates without user interaction on target computers with Apple silicon, Bootstrap Token for the computers must be escrowed with Jamf Pro.
    /usr/bin/curl -s -X POST -H "Content-Type: text/xml" -u ${apiuser}:${apipass} ${jamfProURL}/JSSResource/computercommands/command/ScheduleOSUpdate/action/InstallForceRestart/id/${jamfProCompID}

}

if [[ "$arch" == "arm64" ]]; then
    scheduleOSUpdateViaAPI
else
    /usr/sbin/softwareupdate --install --all --include-config-data --restart --force
fi

exit 0

from my testing, that API call AND from the GUI does nothing to the m1 air and mac mini I have.  They dont restart or install the updates at any point 😞

softwareupdate -i -a -R

Does this notify the user that they're machine is restarting or does it run silently in the background?

We use the same process and notify the user via the policy.  It's simple but we've had a lot of issues with Macs consistently updating.  I cannot get it to work on M1's either

not sure if it works for you, but the API command on a 11.3.1 M1 mac mini does not work, neither does GUI, even with the new RC Jamf vers

what command was this?

the softwareupdate one?

lastly, was this for minor or major? IIRC minor works without creds along with safari or what not, but its the majors that cause problems, but i could be mistaken

How is Nudge working out for you? We are reluctant to add another agent on a device for running updates. So far one of our techs is messaging people directly.  It seems to work better than 2 communication emails.  We don't have 100s of Macs yet and only about 51 people were on 11.5.1 or less but all on Big Sur.

I have tried using softwareupdate -i -a -R and User Interaction with some success, but still not good enough.  The issue is the user is not notified a reboot will occur (even after adding in the Reboot Policy) . Once the update is downloaded the device just reboots. The download is really slow (as mentioned elsewhere  here) and end users are not sure if it is actually working.  
This leads into another issue.  The time is UTC time which is challenging when you are dealing with Macs on a global scale.

I then resorted to this Babodee.   It took me a long time to understand what it does and had various results.  Perhaps it was the VM not working liking the updates and snap shot restoring.  I am still struggling with Big Sur Updates (from 11.2.3, 11.3.x and 11.4) and snuggling to understand the how to configure the script.

It really has been a challenge trying to find a method which allows the users to defer for 48hrs then its forced...and work consistently. 

Mass emails asking users to update has work little bit.  I now have a Jamf Notification Message which appears on users devices 1x per day informing them to update their machine.

Finally, one of our techs is messaging people directly telling them to update (50 or so)  This method, although manual and slow is having the biggest affect.

Let's hope Monterey resolves updating.

#!/bin/sh

#############################################################################################
# - The purpose of this script is to allow softwareUpdates for macOS Big Sur on Intel/M1's
# - This script will resolve the need for user input during software updates
# - The password will be Encrypted for security reasons
#
# - Created by: Ian Nelson
# - Modified:   DeWon Farris    6/3/2020
# - Version:    1.1     #Encrypted API password
#############################################################################################

# Decrypt the API password
function DecryptString() {
    echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}

#API login info
apiuser="APIUser"
apipass=$(DecryptString $4 'string.goes.here' 'key.goes.here')
jamfProURL="https://company.url.here"

#Grab serial number and OS Version of computer
SerialNumber=$(system_profiler SPHardwareDataType | grep 'Serial Number (system)' | awk '{print $NF}')
macOSVersion=$(sw_vers -productVersion)

#Check macOS Major
CheckIt=$(echo $macOSVersion | cut -d . -f 1)

#Set xpath option based on macOS major version
if [[ "$CheckIt" == "11" ]]
    then
        xpath="xpath -e"
    else
        xpath="xpath"
fi

## Curl API to get to install software Updates ASPAP after user chooses to delay or install now
jamfProCompID=$( /usr/bin/curl -s -u ${apiuser}:${apipass} ${jamfProURL}/JSSResource/computers/serialnumber/${SerialNumber}/subset/general | $xpath "/computer/general/id/text()" )
echo $jamfProCompID
/usr/bin/curl -s -X POST -H "Content-Type: text/xml" -u ${apiuser}:${apipass} ${jamfProURL}/JSSResource/computercommands/command/ScheduleOSUpdate/action/installASAP/id/${jamfProCompID}


exit 0

is this with the latest version of Jamf? i think 10.32 or whatnot?

I tested the GUI iteration of this when i was RC'ing 10.32 and it worked, but it ended up rebooting at an undetermined time, thus out of the control of the user and myself.

Also couldnt do a schedule or anything, it just ran it as a management task.

Lastly it didnt give me any options aside from I think the type of update, like all or some aspects of the available updates (gotta double this part).

Based on that testing scheme, I dont have a reliable way to allow a user to get the update and reboot without a random interruption. I think the API would work the same or at least similarly to the GUI, but I am still left to the mercy of "random" reboot.

so this works, tested on Big Sur M1 machines

https://{{url}}/JSSResource/computercommands/command/ScheduleOSUpdate/action/install/id/:id

and while the command respects comma seperated values, anyone know how to get the information from an array to then do a one liner with commas using bash?

example: https://{{url}}/JSSResource/computercommands/command/ScheduleOSUpdate/action/install/id/9,100,92,1,500

I'm trying to implement this into my environment, and it seems to be working, but we always get an administrative pop up that reads "SoftwareUpdateNotificationManager is trying to install Apple software," so there is still a requisite user interaction.

Does anyone know what this is and how to pre-approve/skip/suppress this? It's driving me crazy!

Sorry I am an idiot. What does an idiot like me do with this info. How is this invoked? Is this all the info needed or does it fit someplace in a script? Step by step would be very helpful.

@TSOAFTVPPC the steps are a little spread out, but all the info you need for this to kick it off (successfully or otherwise) is here in this thread - feel free to look at my other entries in this post to get a better idea.

1. i run the command in postman as a test, but you can script it if you want

2. replace URL variable with your instance

3. the numbers after "/id/" are the computer ids of the machines you want to target. mine are out of date big sur machines only

4. not included here but something you need to look into is adding credentials to postman, but you can choose basic auth or token, or anything that you have access to really.

does it actually require interaction or is it more of a notification prompt?

if you can share a screenshot thatd be awesome.

What I am doing is running that command in File and Processes in a policy that is set to a smart group that lists if any machine has an update available. I also have it under the user interaction tab set for a 7 day duration with some basic information under the start message field. Basically stating if they fail to install the update before the allotted time their machine will restart with no warning.

This does pop up a management action window stating the machine has an update and allows them to defer until that 7 day period is reached. If they fail to update before then their machine will update and reboot with our warning. Although still not the best does give the user at least a little heads up.

From I have read apple wants to make it even harder by forcing the use of mass action commands. So all machines that meet a set criteria Admins push a button that forces all machines to download/install any update and force reboot the machine with no warning at all.

To use bash variables inside a curl URL, enclose the variable with curly braces: ${variable}

url="jamf.acme.com"
curl -sS "https://${url}/JSSResource/computercommands/command/ScheduleOSUpdate/action/install/id/9,100,92,1,500"

I've just started running into this same issue. Did you ever come up with a way to pre-approve this message?

Just wanting to add a "we're also having this issue" note to this as we have just moved from Catalina to Big Sur this year. 

Would love to see some JAMF input into this! 

I have created a 'feature request' to fix this. Feel free to give it a vote: https://ideas.jamf.com/ideas/JN-I-25777

Apple Security Updates Big Sur 11.6.3 and 11.6.4 are not downloading and the Scripts and Policies & Procedures & Mass Action are not working well for me since Jamf Pro Cloud 10.35 updated.

• Files and processes: softwareupdate -iaR --force (the Policy is just hanging not even working
• Scripts essentially running this command: /usr/sbin/softwareupdate --install --all --include-config-data --restart --force (the Policy is just hanging not even working)

In the past these scripts worked and downloaded which I ran overnight. Then when I came in I had to log int Start the Update but the long tedius part downloading was completed. Now the System Preferences just hang. I have to go to Terminal and run: sudo /bin/launchctl kickstart -k system/com.apple.softwareupdated and then go back into System Preferences and run manually sometimes the updates are there and most times not.

I did not. I've been so backed up with other issues, I've put this one on the back burner. I keep hoping beyond hope that each updated to either MacOS or JAMF will resolve this for me.

No such luck, yet.

I've finally found time to get back to this. I am currently testing the following command:

curl -X POST -sku ${apiUsername}:${apiPassword} ${jssURL}JSSResource/computercommands/command/ScheduleOSUpdate/action/installASAP/id/${ComputerID}

Which delivers this prompt:

 So, in short, this is not really an "unattended" solution.